Prerequisites
Linux OS –Ubuntu Desktop 12.04 LTS discussed herein
Introduction
In Parts 1 & 2 of our C3CM discussion covered the identify and interrupt phases of the process I’ve defined as an effort to identify, interrupt, and counter the
command, control, and communications capabilities of our digital assailants.
In Part 3 I’m going to cover…hey, a squirrel! J In this, the final part of our series, I’ll arm you
for the interrupt phase with ADHD…no,
not that; rather, it’s the Active Defense Harbinger Distribution. You know how
I know I have ADHD? My wife asked me for a glass of water and I made myself
coffee instead. Wait, maybe that’s just selfish…er, nevermind.
I hope you’ve enjoyed utilizing Nfsight with Nfdump, Nfsen,
and fprobe for our identification
phase and BroIDS (Bro), Logstash, and Kibana as part of our interrupt phase. But I have to say, I
think the fun really kicks in here when we consider how to counter our ne’er-do-well denizens of digital destruction. We’ll
install the ADHD scripts on the C3CM Ubuntu system we’ve been building in Parts
1 and 2 but, much as you could have performed the interrupt phase using Doug Burk’s Security Onion (SO), you could
download the full ADHD distribution and take
advantage of it in its preconfigured splendor to conduct the counter phase. The truth of the matter
is that running all the tools we’ve implemented during this C3CM campaign on
one VM or physical machine, all at the same time, would be silly as you’d end
up with port contention and resource limitations. Consider each of the three
activities (identify, interrupt, and counter) as somewhat exclusive. Perhaps, clone
three copies of the C3CM VM once we’re all finished and conduct each phase
uniquely or simply do one at a time. The ADHD distribution (absolutely download
it and experiment in addition to this activity) is definitely convenient and
highly effective but again, I want you to continue developing your Linux foo, so
carry on in our C3CM build out.
John Strand and Ethan Robish are the ADHD project leads,
and Ethan kindly gave us direct insight into the project specific to the full
distribution:
"ADHD is an
ongoing project that features many tools to counter an attacker's ability to
exploit and pivot within a network.
Tools such as Honey Badger, Pushpin, Web Bug Server, and Decloak provide
a way of identifying an attacker's remote location, even if he has attempted to
hide it. Artillery, Nova, and
Weblabyrinth, along with a few shell scripts provide honeypot-like
functionality to confuse, disorient, and frustrate an attacker. And then there are the well-known tools that
help the good guys turn the tables on the attacker: the Social Engineering
Toolkit (SET), the Browser Exploitation Framework (BeEF), and the Metasploit
Framework (MSF).
Future plans for
the project include the typical updates along with the addition of new
tools. Since the last release of ADHD,
there has been some interesting research done by Chris John Riley on messing
with web scanners. His preliminary work
was included with ADHD 0.5.0 but his new work will be better integrated and
documented with the next release of ADHD.
We also plan to dive more into the detection of people that try to hide
their identities behind proxies and other anonymizing measures. Further down the line you may see some big
changes to the underlying distribution itself.
We have started on a unified web control interface that will allow users
of ADHD to control the various aspects of the system, as well as begun
exploring how to streamline installation of both ADHD itself and the tools that
are included. Our goal is to make it as
simple as possible to install and configure ADHD to run on your own network."
Again, we’re going to take, Artillery, Beartrap, Decloak,
Honey Badger, Nova, Pushpin, Spidertrap, Web Bug Server, and Weblabyrinth and
install them on our C3CM virtual machine as already in progress per Parts 1 and
2 of the series. In addition to all of Ethan’s hard work on Spidertrap, Web Bug
Server, and Weblabyrinth, it’s with much joy that I’d like to point out that
some of these devious offerings are devised by old friends of toolsmith.
Artillery is brought to you by TrustedSec. TrustedSec is brought to you by Dave
Kennedy (@dave_rel1k). Dave Kennedy brought us Social-Engineer Toolkit (SET) in
February 2013 and March 2012 toolsmiths. Everyone loves Dave Kennedy.
Honey Badger and Pushpin are brought to you by @LaNMaSteR53.
LaNMaSteR53 is Tim Tomes, who also works with Ethan and John at Black Hills
Information Security. Tim Tomes brought us Recon-ng in May 2013’s toolsmith.
Tim Tomes deserves a hooah. Hooah! The information security community is a
small world, people. Honor your friends, value your relationships, watch each other’s
backs, and praise the good work every chance you get.
Let’s counter, shall we?
ADHD installation
tips
Be sure to install git on your VM via sudo apt-get install git, execute mkdir ADHD, then cd ADHD, followed by one big bundle of
git cloning joy (copy and paste this big boy as a whole):
git clone
https://github.com/trustedsec/artillery/ artillery/&git clone
https://github.com/chrisbdaemon/BearTrap/ BearTrap/&git clone
https://bitbucket.org/ethanr/decloak decloak/&git clone
https://bitbucket.org/LaNMaSteR53/honeybadger honeybadger/&git clone
https://bitbucket.org/LaNMaSteR53/pushpin pushpin/&git clone
https://bitbucket.org/ethanr/spidertrap spidertrap/&git clone
https://bitbucket.org/ethanr/webbugserver webbugserver/&git clone
https://bitbucket.org/ethanr/weblabyrinth weblabyrinth/
Nova is installed as a separate process as it’s a bigger
app with a honeyd dependency. I’m hosting the installation steps on my website but to
grab Nova and Honeyd issue the following commands from your ADHD directory:
git clone
git://github.com/DataSoft/Honeyd.git
git clone
git://github.com/DataSoft/Nova.git Nova
cd Nova
git submodule
init
git submodule
update
The ADHD SourceForge Wiki includes
individual pages for each script and details regarding their configuration and
use. We’ll cover highlights here but be sure to read each in full for yourself.
ADHD
I’ve chosen a select couple of ADHD apps to dive in to
starting with Nova.
Nova is an open-source anti-reconnaissance system designed
to deny attackers access to real network data while providing false information
regarding the number and types of systems connected to the network. Nova
prevents and detects snooping by deploying realistic virtualized decoys while
identifying attackers via suspicious communication and activity thus providing
sysadmins with better situational awareness. Nova does this in part with
haystacks, as in find the needle in the.
Assuming you followed the Nova installation guidance
provided above, simply run quasar
at a command prompt then browse to https://127.0.0.1:8080.
Login with username nova and password toor. You’ll be prompted with the Quick
Setup Wizard, do not use it.
From a command prompt execute novacli start haystack
debug to ensure Haystack is running.
Click Haystacks under Configuration in the menu and
define yourself a Haystack as seen in Figure 1.
FIGURE 1: Nova Haystack configuration |
You can also add Profiles to emulate hosts that appear to
attackers as very specific infrastructure such as a Cisco Catalyst 3500XL
switch as seen in Figure 2.
FIGURE 2: Nova Profile configuration |
Assuming Packet Classifier
and Haystack status show as online, you can click Packet Classifier from the
menu and begin to see traffic as noted in Figure 3.
FIGURE 3: Nova Packet Classifier (traffic overview) |
What’s really cool here is
that you can right-click on a suspect and train Nova to identify that
particular host as malignant or benign per Figure 4.
FIGURE 4: Nova training capabilities |
Over time training Nova will
create a known good baseline for trusted hosts and big red flags for those that
are evil. As you can see in Figure 5, you’ll begin to see Honeyd start killing
attempted connections based on what it currently understands as block-worthy.
Use the training feature to optimize and tune to your liking.
FIGURE 5: Honeyd killing attempted connections |
Nova’s immediately
interesting and beneficial; you’ll discern useful results very quickly.
The other ADHD app I find
highly entertaining is Spider Trap. I come out on both sides of this argument.
On one hand, until very recently I worked in the Microsoft organization that
operates Bing. On the other hand, as website operator, I find crawler &
spider traffic annoying and excessive (robots.txt is your friend assuming it’s
honored). Bugs you too and you want to get a little payback? Expose Spider Trap
where you know crawlers will land, either externally for big commercial
crawlers, or internally where your pentesting friends may lurk. It’s just a wee
Python script and you can run as simply as python2
spidertrap.py. I love Ethan’s idea to provide Spider Trap with a list of
links. He uses the big list from OWASP DirBuster like this, python2 spidertrap.py
DirBuster-Lists/directory-list-2.3-big.txt, but that could just as
easily be any text list. Crawlers and spiders will loop ad infinitum achieving
nothing. Want to blow an attacker or pentester’s mind? Use the list of
usernames pulled from /etc/passwd
I’ve uploaded for you as etcpasswd.txt. Download etcpasswd.txt
to the Spider Trap directory, then add the following after line 66 of
spidertrap.py:
#Attacker/pentester misdirect
self.wfile.write("/etc/passwd ")
Then run it like this: python2 spidertrap.py etcpasswd.txt.
The result will be something that will blow a scanner or manual
reviewer’s mind. They’ll think they’ve struck pay dirt and have some weird
awesome directory traversal bug at hand as seen in Figure 6.
FIGURE 6: Spider Trap causing confusion |
Spider Trap runs by default
on port 8000 but if you want to run it on 80 or something else just edit the
script. Keep in mind if will fight with Apache if you try to use 80 and don’t service apache2 stop.
You can have a lot of fun at
someone else’s expense with ADHD. Use it well, use it safely, but enjoy the
prospect of countering your digital assailants in some manner.
In Conclusion
In closing, for this three part series I’ve defined C3CM
as methods by which to identify,
interrupt, and counter the command, control, and communications capabilities of
our digital assailants.
With ADHD, the counter phase of our C3CM concept, is not
only downright fun, but it becomes completely realistic to imagine taking
active (legal) steps in defending your networks. ADHD gives me the energy to do
anything and the focus to do nothing. Wait…never mind. Next month we’ll
discuss…um, I can’t decide so you get to help!
For November, to celebrate seven years of toolsmith, which of the following three topics should
toolsmith cover?
Tweet your choice to me via @holisticinfosec and email if
you have questions regarding C3CM via russ at holisticinfosec dot org.
Cheers…until next month.
Acknowledgements
John Strand and Ethan Robish,
Black Hills Information Security